Where-Object breaks script

  • Question

  • I need to pull a list of accounts from a single OU that have 2 specific values in 2 attributes, these accounts also need to have not reset their passwords in a number of days.

    I can run part of my script and get the accounts without password reset in the given number of days, but as soon as I add a condition looking for either of the attribute values it returns 0 results, even though I know there are thousands of them

    The code I am trying is 

    $PasswordAge = 30
    $time = (Get-Date).Adddays(-($PasswordAge))
    Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Where-Object {$_.customattribute -contains 'Value'} | Where-Object {$_.memberof -contains 'CN=Group Name,OU=Security Groups (Mail Enabled),DC=domain,DC=com'} Select-Object sAMAccountName |  ConvertTo-Csv -NoTypeInformation |  Select-Object -Skip 1 | Set-Content -Path "c:\users\test.csv"

    So this should give me all accounts in MYOU with a password reset date of 30 days or more in the past with the given values in customattribute and memberof. The results should be saved to a csv on my C drive with the column header removed and only the sAMAccountName attribute should be listed.

    If I run just 

    $PasswordAge = 30
    $time = (Get-Date).Adddays(-($PasswordAge))
    Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Select-Object sAMAccountName |  

    I get all the sAMAccountName values for users in the OU with no password reset in 30 days or more scrolling down the screen, if I add the code to export to csv I get the same results saved to the csv file

    What am I doing wrong?


    • Edited by GADavies Wednesday, June 24, 2020 4:28 PM correction
    Wednesday, June 24, 2020 3:56 PM

Answers

  • Also, you have to ask for the extra attributes, or they won't be there.


    get-aduser js -property memberof,customattribute

    • Edited by JS2010 Wednesday, June 24, 2020 5:56 PM
    • Marked as answer by GADavies Wednesday, June 24, 2020 6:21 PM
    Wednesday, June 24, 2020 5:56 PM
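
The marked answer in runnable form, as an added example that is not part of the original thread: constructed objects stand in for Get-ADUser output to show why the Where-Object stages dropped everything, followed by the query with the two attributes requested. `customattribute`, the OU and the group DN are the poster's placeholders; `Select-StaleMatch` and `Get-StalePasswordUser` are hypothetical names.

```powershell
# Added example. Placeholders from the thread: customattribute, MYOU, the group DN.
$group = 'CN=Group Name,OU=Security Groups (Mail Enabled),DC=domain,DC=com'

# The thread's two Where-Object tests combined into one reusable filter.
filter Select-StaleMatch {
    if (($_.customattribute -contains 'Value') -and ($_.memberOf -contains $group)) { $_ }
}

# Constructed object shaped like Get-ADUser output WITHOUT -Properties:
# only default attributes exist, so memberOf and customattribute are absent.
$defaultOnly = [pscustomobject]@{ sAMAccountName = 'user1' }

# The same account with the two extra attributes requested.
$withProps = [pscustomobject]@{
    sAMAccountName  = 'user1'
    customattribute = @('Value', 'Other')
    memberOf        = @($group)
}

# A missing property evaluates to $null, and "$null -contains 'Value'" is
# $false, so every object is silently discarded instead of raising an error.
$dropped = @($defaultOnly | Select-StaleMatch).Count
$kept    = @($withProps   | Select-StaleMatch).Count
"Matches without the attributes: $dropped; with them: $kept"

# The real query (requires the ActiveDirectory module and a domain).
function Get-StalePasswordUser {
    param(
        [int]$PasswordAge = 30,
        [string]$SearchBase = 'ou=MYOU,dc=domain,dc=com'
    )
    # pwdLastSet is stored as a file time, so compare against a file time.
    $fileTime = (Get-Date).AddDays(-$PasswordAge).ToFileTime()
    $query = @{
        Filter     = "pwdLastSet -lt $fileTime"
        SearchBase = $SearchBase
        Properties = 'memberOf', 'customattribute'   # the fix from the answer
    }
    Get-ADUser @query | Select-StaleMatch |
        Select-Object -ExpandProperty sAMAccountName
}

# Usage on a domain-joined host:
# Get-StalePasswordUser | Set-Content -Path 'c:\users\test.csv'
```

The same silent-empty result affects any audit script that filters on non-default attributes, so a zero count from such a report is worth checking against the `-Properties` list before it is trusted.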

All replies

  • Is there a pipe symbol before select-object?  Pwdlastset is in the filetime format, not the datetime format.  We don't know what customattribute is, but -contains only works with complete array elements, not substrings.
    • Edited by JS2010 Wednesday, June 24, 2020 5:03 PM
    Wednesday, June 24, 2020 4:58 PM
  • In the code I'm using there is, I edited to remove the actual OU etc. and deleted the pipe accidentally. Thing is, even if this is removed I get zero results, the where-object conditions are what breaks this

    Wednesday, June 24, 2020 5:09 PM
  • Does it work with just the memberof where-object?  $time should be:


    $time = $time.ToFileTime()

    • Edited by JS2010 Wednesday, June 24, 2020 5:15 PM
    Wednesday, June 24, 2020 5:15 PM
  • Adding ANY where-object means I get zero results.

    Running 

    $PasswordAge = 30
    $time = (Get-Date).Adddays(-($PasswordAge))
    Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" 

    gives me default attributes for ALL accounts in the OU with no password reset in the last 30 days. Running

    $PasswordAge = 30
    $time = (Get-Date).Adddays(-($PasswordAge))
    Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Select-Object sAMAccountName 

    Gives me just sAMAccountName for all accounts in the OU with no password reset in the last 30 days. Running 

    $PasswordAge = 30
    $time = (Get-Date).Adddays(-($PasswordAge))
    Get-ADUser -ResultpageSize 20000 -Filter {pwdLastSet -lt $time} -SearchBase "ou=MYOU,dc=domain,dc=com" | Where-Object {$_.customattribute -contains 'Value'} 

    Gives me nothing, if I replace the where-object code with any other where-object condition I get no results.

    Adding the where-object condition or conditions means I get no results

    Wednesday, June 24, 2020 5:30 PM
  • Some people get confused about what -contains does.  It has to match the whole array element, not part of an element.  Without knowing the exact code, we can only guess.


    'hi','there' -contains 'hi'
    True

    'hi','there' -contains 'h'
    False

    • Edited by JS2010 Wednesday, June 24, 2020 5:38 PM
    Wednesday, June 24, 2020 5:37 PM
    I am aware of this, I am using the full value I need to filter by, so the member of where-object uses the FQDN of the group, the customattribute where-object is using the full value.

    Both attributes I am trying to filter on are multi value attributes, I need to find accounts with specific values in each of these attributes. I have used this in other scripts and got what I needed, for some reason using the same code here fails.



    • Edited by GADavies Wednesday, June 24, 2020 5:53 PM spelling correction
    Wednesday, June 24, 2020 5:43 PM
  • $time test.  Maybe it works.


    get-aduser -filter {pwdlastset -lt $time} -ResultSetSize 5 -property pwdlastset |
      % { [datetime]::fromfiletime($_.pwdlastset) }

    Sunday, December 31, 1600 7:00:00 PM
    Tuesday, November 24, 2015 12:19:24 PM
    Tuesday, May 23, 2017 4:36:18 PM
    Tuesday, January 12, 2016 3:13:14 PM
    Monday, January 8, 2018 10:12:23 AM

    • Edited by JS2010 Wednesday, June 24, 2020 6:21 PM
    Wednesday, June 24, 2020 6:11 PM
  • that fixed it, thanks
    Wednesday, June 24, 2020 6:21 PM